PDA

View Full Version : OS X Attack Code Released, and iTunes AAC Security Vulnerability Patched


MacRumors
Jun 29, 2006, 03:10 PM
http://www.macrumors.com/images/macrumorsthreadlogo.gif (http://www.macrumors.com)

According to News.com (http://news.com.com/2100-1002_3-6089630.html), security researcher Kevin Finisterre at Digital Munition has released "attack code" to the public that can locally exploit the launchd daemon.

"Attackers may exploit this issue to execute arbitrary code with elevated privileges," Symantec said in a security alert to customers that was updated on Thursday.

The code affects Mac OS 10.4.0 - 10.4.6 (excluding the recently released 10.4.7 (http://www.macrumors.com/pages/2006/06/20060627161810.shtml) and 10.3.x). The same researcher also created a proof-of-concept Bluetooth exploiting worm (http://news.com.com/Bluetooth+worm+targets+Mac+OS+X/2100-7349_3-6041091.html) earlier this year. According to News.com, his actions are in part to show that Apple software is not unbreakable.

Also mentioned in the article is that iTunes 6.0.5 is quietly patching an AAC parsing flaw.

Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files.

Digg this story (http://digg.com/security/OS_X_Attack_Code_Released,_and_iTunes_AAC_Security_Vulnerability_Patched)

dizastor
Jun 29, 2006, 03:12 PM
another proof of concept. This isn't cool. Eventually someone will release one of these things in a less than sanitary manner.

iGary
Jun 29, 2006, 03:13 PM
How about in English? ;)

KEL9000
Jun 29, 2006, 03:16 PM
another proof of concept. This isn't cool. Eventually someone will release one of these things in a less than sanitary manner.


at least they released it after it had been fixed by apple.

Peace
Jun 29, 2006, 03:18 PM
More bad publicity for Apple..Shows me that Apple is becoming a threat to the PeeCee world and because of this is coming under increasing PR attacks.

michaeldmartin
Jun 29, 2006, 03:19 PM
They have released a virus in a less-than-sanitary manner: Skype. (Leaked Beta) It was an accident, from a bug.. If you want to think of it as a virus, that is.

joshysquashy
Jun 29, 2006, 03:21 PM
Yet another example of why you should always download updates as soon as they are released - they often fix issues, and often highlight previous flaws which some people then take advantage of.

caveman_uk
Jun 29, 2006, 03:21 PM
[ According to News.com, his actions are in part to show that Apple software is not unbreakable.

So it's not just willy waving then? Oh good. :rolleyes:

Seriously, Apple has one day to get people patched and this 'security researcher' releases exploit code on the web. Well thank you. At least it's only a local exploit.

rowanhall
Jun 29, 2006, 03:22 PM
another proof of concept. This isn't cool. Eventually someone will release one of these things in a less than sanitary manner.

exactally what i was thinking bro! i like living in my wee bubble...

RichP
Jun 29, 2006, 03:25 PM
http://rtechnic.com/images/quantumleap.jpg


As stated indirectly by mlr, still better than Windows. Unfortuneatly, Apple's high profile is going to make it more of a target, even if the marketshare is as low as it is.

zap2
Jun 29, 2006, 03:25 PM
well since 10.4.7 stops it, no real worrys

michaelrjohnson
Jun 29, 2006, 03:29 PM
Gosh... a single proof of concept of a local exploit... :rolleyes:

This really isn't that big of a deal. Moral of the story: run Software Update regularly. Apple has done really well in patching their own holes, and responding to these types of "exploits".

That being said, nobody (even Apple) claimed that Macs are somehow immune to security exploits, attacks, and viruses. Nobody should be surprised that these types of things exist, and will someday have a greater impact on your workflow.

MacsRgr8
Jun 29, 2006, 03:30 PM
well since 10.4.7 stops it, no real worrys

Yep.. the're too late IMHO. ;)

Doctor Q
Jun 29, 2006, 03:30 PM
at least they released it after it had been fixed by apple.Mac OS X 10.4.7 may fix it for Mac OS X 10.4, but Mac OS X 10.3 and earlier may have the same vulnerability. I generally feel safer with the latest O.S. release, even though new flaws will invariably be discovered, because at least the widely known flaws are fixed.

longofest
Jun 29, 2006, 03:31 PM
Mac OS X 10.4.7 may fix it for Mac OS X 10.4, but Mac OS X 10.3 and earlier may have the same vulnerability. I generally feel safer with the latest O.S. release, even though new flaws will invariably be discovered, because at least the widely known flaws are fixed.

10.3 is not affected by the launchd vulnerability.

Jetson
Jun 29, 2006, 03:32 PM
I liked that worm crawling out of the apple graphic :D

Mac Pwnz You
Jun 29, 2006, 03:32 PM
Who really cares? No software is "un-breakable" and nobody ever said that Apple software was. It is still, better, more user-friendly, and more secure than Windows.

Texas04
Jun 29, 2006, 03:33 PM
I have to agree with the Water analogy posted above...

My mac alows me to be safer, not immune, and work better than I could ever do with Windows... And Apple does a good job of securing its software, and making sure that everything runs fine "out of the box".

"I'd rather drink water from my local restaraunt, than one in Mexico"


P.S. I'm Mexican to.... :rolleyes: And i still love my heritiage and home country!!! :D

longofest
Jun 29, 2006, 03:35 PM
I liked that worm crawling out of the apple graphic :D

It's actually a really old graphic we have on the system. We've shunned some of the older ones for the more classic "news" and "rumor" graphics (aka the newspaper and question mark), but I thought I'd bring out the worm for this one :p

Cubert
Jun 29, 2006, 03:36 PM
Obviously, Apple is on top of things. Their latest releases patch the issue.

iJaz
Jun 29, 2006, 03:37 PM
"Mac's not invulnerable" :eek:

tveric
Jun 29, 2006, 03:46 PM
"Mac's not invulnerable" :eek:

We really need a Slashdot-like moderating system.... -1 Troll!

yellow
Jun 29, 2006, 03:54 PM
According to News.com, his actions are in part to show that Apple software is not unbreakable.

Damnit, who keeps saying that it is? Well, cut it out!! :rolleyes:

XNine
Jun 29, 2006, 03:55 PM
*yawn*

So, really, who gives a damn? I don't want proof-of-concept. I want proof that it works in the wild. Come on now. Someone do something here. Quit making all of these claims. It's like foreplay without the ending. Ya know? WTF?

dejo
Jun 29, 2006, 03:56 PM
Wait. According to the "security through obscurity" people, nobody is writing exploits for Mac OS X because of its low marketshare. How can this be? ;)

eva01
Jun 29, 2006, 03:59 PM
Time to update my PM to 10.4.7 me thinks

shamino
Jun 29, 2006, 04:00 PM
well since 10.4.7 stops it, no real worrys
And iTunes 6.0.5, which just came out today. So remember to hit up Software Updates the next time you get a chance. Downloading iTunes 6.0.5 for Windows would also probably be a good idea. (Assuming you're running iTunes on Windows, of course :) )

nxent
Jun 29, 2006, 04:02 PM
i think apple should create the equivalent of a 'counter-apple' division... a group who's sole purpose is to hack and break OS X. report their findings to the folks who write the os x code so they can fix it.

bigbassist
Jun 29, 2006, 04:07 PM
i think apple should create the equivalent of a 'counter-apple' division... a group who's sole purpose is to hack and break OS X. report their findings to the folks who write the os x code so they can fix it.


I'd jump on that task force....That would be awesome!!:D

michaeldmartin
Jun 29, 2006, 04:08 PM
The new itunes wasn't to fix that, shamino, it was to add nike support.

solvs
Jun 29, 2006, 04:21 PM
i think apple should create the equivalent of a 'counter-apple' division... a group who's sole purpose is to hack and break OS X. report their findings to the folks who write the os x code so they can fix it.
They already have that. Guess they weren't doing their jobs very well. I'm not too worried, OS X is still more secure than Windows, and I run that too sometimes. Always do backups, don't download anything if you don't know where it came from, keep your software updated, run firewalls (hw and sw) and AV if you have to, you'll probably be alright.

Killyp
Jun 29, 2006, 04:21 PM
The new itunes wasn't to fix that, shamino, it was to add nike support.

The new iTunes does fix it. It adds a random way to generate something with something or something along those lines...

I can't remember even though I read it 2 minutes ago, but iTunes 6.0.5 DOES fix it...

MacBoobsPro
Jun 29, 2006, 04:41 PM
I think releasing the code is a very stupid thing to do. For those who have not run Software Update and those who swear by 'if it aint broke dont fix it' i.e. 10.4.4 then they will all be vulnerable to attack wont they?

Dumbass

mmzplanet
Jun 29, 2006, 04:51 PM
Already at 10.4.7 ;)

Yeah it sucks... but all the more reason to always update. I never expect apple to be perfect... just expect them to be a lot better than Microsoft. The track record shows...... they are. :D

jaxstate
Jun 29, 2006, 04:51 PM
Some people have way too much time on their hand. Who thought OSX (or any OS) is 100% safe from virii/hacker/trojan horses. Sheesh, get a life already.

crap freakboy
Jun 29, 2006, 05:01 PM
Why would you do this? Make something that could be destructive to so many people and release it in the public domain. I'm so tired of these industries that create both the problems and then the solution for ...a dollar or two.

just tired of so much crap being done to people and their lives in the name of 'business'. I'll take a happy pill tomorrow I promise.:D

BakedBeans
Jun 29, 2006, 05:02 PM
Is this confirmed to actually do anything

I could in theory write this

"I have written 14 viruses that delete all the users hardware running mac OS 7.4.1 - 10.4.6, they set fire to the hardrive and burn your house down, thing is... 10.4.7 is out now... so it doesn't work'

doesn't mean anything actually works.

yellow
Jun 29, 2006, 05:11 PM
It may be that this was done because Apple was dragging their heels on fixing it. What better way to force their hand than to create a proof-of-concept and bring it to the forefront of pros/cons/haters/fanbois?

It's just a step above this:

http://www.alastairs-place.net/archives/000079.html

jriveractu
Jun 29, 2006, 05:15 PM
that guy sure doesn't have anything better to do with his time ... bet he got bored trying to find flaws in windows (I wonder why? :rolleyes: )

tdhurst
Jun 29, 2006, 05:21 PM
Not all padlocks are unbreakable!

Not all security measures are foolproof!

Mac OS X is not immune to all exploits!

Gee...

ibook30
Jun 29, 2006, 05:27 PM
that guy sure doesn't have anything better to do with his time ... bet he got bored trying to find flaws in windows (I wonder why? :rolleyes: )

Fame and fortune will surely follow for anyone who crack the appple code... yes, it is weak sarcasm, buta grain of truth exists there. The fact that one person can create something that pushes a big company to act, well that is impressive. It's good that folks push, and keep apple from being complacent. It's also scary as a user of the product, but so is driving home from work ( crazy drivers are way more dangerous than a virus) .

Bradley W
Jun 29, 2006, 05:27 PM
_

zephead
Jun 29, 2006, 05:32 PM
All those anti-mac people saying "See? Apple isn't invulnerable. Get Windows." should just shove it. It can be likened to Microsoft being covered in mud and then making a big deal about Apple having a little smudge on itself. :rolleyes:

illegalprelude
Jun 29, 2006, 05:32 PM
yea, thats it! I quit. Im going back to a pc? :confused: eeerrr :rolleyes:

hulugu
Jun 29, 2006, 05:32 PM
Oh noes! The sky is falling, the sky is falling. The Mac is DOOMED! Run. Buy Windows, maybe that will appease the great computer gods. Scream. Commit Hari Kari. Kiss your loved ones goodbye.

Ahhhhhh!

Demoman
Jun 29, 2006, 06:03 PM
Why would you do this? Make something that could be destructive to so many people and release it in the public domain. I'm so tired of these industries that create both the problems and then the solution for ...a dollar or two.

just tired of so much crap being done to people and their lives in the name of 'business'. I'll take a happy pill tomorrow I promise.:D

You express my sentiments exactly. If this yo-yo is trying to impress people with his intelligence, for me he failed the first test of common sense. Furthermore, if my company was doing business with his, I would drop them immediately after sending a letter to their stock analyst(s) and board of directors.

DeathChill
Jun 29, 2006, 06:37 PM
I think it was more to show that there are flaws in OS X (which is obvious) as everyone touts security as OS X's best strength but there were two major flaws unpatched for quite some time. This certainly doesn't make Windows better, but it's true that in the Windows world those flaws would have already been exploited and Windows would have been called weak in the security department.

EDIT:

Uh, it's not THAT big of a deal. It's a concept 'virus' so don't get too worked up. If he hadn't shown anything then everyone would have said "SUUUUUUUUURE."

Lixivial
Jun 29, 2006, 06:42 PM
*yawn*

So, really, who gives a damn? I don't want proof-of-concept. I want proof that it works in the wild. Come on now. Someone do something here. Quit making all of these claims.

Myself, I'd prefer a proof-of-concept released after it's been patched rather than zero-day unpatched exploits. But to each his own. :)

alec
Jun 29, 2006, 06:44 PM
This seems like a waste of time. What is this guys point apart from proving 'Apple isn't an impregneable fortress"?

inkswamp
Jun 29, 2006, 06:50 PM
Anybody have that graphic from Fark handy? The one with the guy holding his head, looking pained and the caption, "Oh God, not this s*** again."

yellow
Jun 29, 2006, 06:52 PM
"Oh God, not this s*** again."

You mean this one?

http://www.gothamist.com/images/2004_12_scottbaio.jpg

:D :D

Boggle
Jun 29, 2006, 07:19 PM
This just isn't making me quiver w/ fear. Wow, somebody found a way to exploit an operating system. Maybe we should abandon the electron and try running everything on Superman's Crystal Technology. :rolleyes:

Is there really a market out there that thinks the invulnerable OS is hrs away?

10. People build things.
20. Other People find ways to exploit what's been built.
30. People patch the problem.
40. Go to 20.

Can somebody show me where the surprise part comes in?

gekko513
Jun 29, 2006, 07:22 PM
This seems like a waste of time. What is this guys point apart from proving 'Apple isn't an impregneable fortress"?
He's trying to build his career in the computer security field. It's probably working, too.

coffey7
Jun 29, 2006, 07:37 PM
If I ever find any of the people who create these viruses I will drop kick them right in the face. Then maybe I will slam there hands in my car door.losers get a life.

bjweeks
Jun 29, 2006, 07:43 PM
If I ever find any of the people who create these viruses I will drop kick them right in the face. Then maybe I will slam there hands in my car door.losers get a life.

Don't you just love empty threats on the internet? :rolleyes:

macEfan
Jun 29, 2006, 07:44 PM
hahhahha my computer won't be affected:D I always upgrade to the next OS after the next next OS comes out. Its cheaper to upgrade, and most of the bugs are out.. I'm still happily running OS X.3 with no fear of viruses

Dagless
Jun 29, 2006, 07:50 PM
good! Apple need a bloody good kick up the arse to solve this problem. releasing it to the public is a good idea. Security update imminent I reckons.
I bet it's just the prideful people who voted negative on this. It's great they release this! the quicker its addressed by Apple the quicker OSX is stronger.

theBB
Jun 29, 2006, 07:52 PM
good! Apple need a bloody good kick up the arse to solve this problem. releasing it to the public is a good idea. Security update imminent I reckons.
I bet it's just the prideful people who voted negative on this. It's great they release this! the quicker its addressed by Apple the quicker OSX is stronger.
10.4.7 already fixes it.

Philoman
Jun 29, 2006, 08:05 PM
No, Apple software isn't perfect. However, I'd rather drink chlorinated tap water from a restaurant than anything from Mexico.

Well, a lot of people sure drink a lot of Coronas. :D

lOUDsCREAMEr
Jun 29, 2006, 08:46 PM
conspiracy/

seems some AV co are starting to write "mac viruses"..

Krizoitz
Jun 29, 2006, 08:49 PM
Hmm time for an analogy. There are two cars, car A and car B. Car A is crap. It breaks down all the time, is made of shoddy parts, gets the worst safety ratings possible etc. Car B is great, hardly ever breaks down, good solid parts, highest safety ratings.

Some yahoo comes along, sees that Car B can get in an accident just like Car A, and decides this is newsworthy.

Of course, no one ever claimed that Car B couldn't get in an accident. Or break down. Or run out of gas. All anyone ever did was claim that Car B was BETTER than Car A.

Shocking that MacOS X isn't perfectly invulnerable. Gee I thought that it was absolutely flawless! I'm shocked i tell you, SHOCKED.

You have got to be kidding me. I test software for a living. Even the simplest of programs used today (say TextEdit) are complicated enough that it is beyond reasonable to try and test it in every way possible. So sometimes, *gasp* a bug gets out, or an unitended hole gets created. Frankly I think that Apple's track record in protecting us more than enough for me to trust them. This guy? Whatever, he just wants attention.

dagger01
Jun 29, 2006, 09:08 PM
I do a search of the Symantec website for "launchd" and get no results. Anyone have a link to the actual threat description and this stealth announcement by Symantec? If not, I'm calling shenanigans. Plus, if it's like the Bluetooth exploit, the user has to be a willing participant in the infection process, i.e., double click this attachment you got for somebody you don't know, stupid! I'm sorry, I don't consider stupidity a vulnerability to the operating system. I can write a piece of spyware for Mac OS X to run malicious code if the idiot user has to launch it first! Not that it makes it any less dangerous, but how dumb do you have to be these days to fall for that trap? Most Windows exploits are exploitable from outside the computer, or without the user's direct control. Don't see many of those with Mac OS X, not that they haven't existed, but they are usually patched before they are exploited in any massive way.

dagger01
Jun 29, 2006, 09:13 PM
good! Apple need a bloody good kick up the arse to solve this problem. releasing it to the public is a good idea. Security update imminent I reckons.
I bet it's just the prideful people who voted negative on this. It's great they release this! the quicker its addressed by Apple the quicker OSX is stronger.

Is your head in the sand or did you not read the article? It's already been fixed as of 10.4.7, and was not even a vulnerability for 10.3.9. This whole story stinks of virus company FUD.

McDave
Jun 29, 2006, 09:23 PM
Myself, I'd prefer a proof-of-concept released after it's been patched rather than zero-day unpatched exploits. But to each his own. :)

What! You mean there's a difference? :eek:

Surely "hypothetically vulnerable"="thousands of virus attacks per year" just like "dozens of DVD authoring titles"="I'm gonna actually produce home DVDs....maybe, next year"

Never let reality get in the way of credible speculation

McD

P.S. Would the vulnerability be exploited by those automatic viruses or will I have to manually install them again? (quite labour-intensive)

1020
Jun 29, 2006, 09:53 PM
Hmm time for an analogy. There are two cars, car A and car B. Car A is crap. It breaks down all the time, is made of shoddy parts, gets the worst safety ratings possible etc. Car B is great, hardly ever breaks down, good solid parts, highest safety ratings.

Some yahoo comes along, sees that Car B can get in an accident just like Car A, and decides this is newsworthy.

Of course, no one ever claimed that Car A couldn't get in an accident. Or break down. Or run out of gas. All anyone ever did was claim that Car A was BETTER than Car B.



I think you got your As and your Bs mixed up.

mmzplanet
Jun 29, 2006, 11:02 PM
If it ever gets used againast those who are not protected... are they gonna slap this guy like they do when they catch worm/virus creators?

Then again...because you are the gun maker..its not really your fault your product killed somebody. :D

sam10685
Jun 29, 2006, 11:08 PM
we're all gonna die!!! (Actually no we wont. apple will just make a security fix.)

dejo
Jun 29, 2006, 11:14 PM
we're all gonna die!!! (Actually no we wont. apple will just make a security fix.)

You mean like the one they already made to fix this in 10.4.7 that was released a few days ago? :)

eric_n_dfw
Jun 30, 2006, 12:03 AM
Yet another example of why you should always download updates as soon as they are released - they often fix issues, and often highlight previous flaws which some people then take advantage of.
Except for the times that an update breaks something. Ever since the ethernet driver debacle of 2003 where G4 PowerMac's lost ethernet connectivity (10.2.8 (http://docs.info.apple.com/article.html?artnum=107669)) -- including mine -- I wait about a week or two and monitor sites like xlr8yourmac.com for other's reviews before jumping in with an update.

Phil A.
Jun 30, 2006, 01:23 AM
I haven't been able to find any specifics about this, but I did find details about a potential exploit against launchd from last year. This exploit used a race condition bug within launchd to change permissions on an arbitrary file. From the description of this exploit, it could be the same one being rehashed. Details on the one I have found are here (http://www.suresec.org/advisories/adv3.pdf)

Krizoitz
Jun 30, 2006, 02:03 AM
I think you got your As and your Bs mixed up.

I have no idea what you are talking about, i sooo didn't just edit it :D

cwedl
Jun 30, 2006, 02:45 AM
I think thats cool he found the 'hole' in apples software, but why release it, maybe get someone else like cnet labs or something to verify it and then delete it.

stunna
Jun 30, 2006, 02:58 AM
Gosh... a single proof of concept of a local exploit... :rolleyes:

This really isn't that big of a deal. Moral of the story: run Software Update regularly. Apple has done really well in patching their own holes, and responding to these types of "exploits".

That being said, nobody (even Apple) claimed that Macs are somehow immune to security exploits, attacks, and viruses. Nobody should be surprised that these types of things exist, and will someday have a greater impact on your workflow.

I was watching TV one day and it said that macs cant get viruses

BakedBeans
Jun 30, 2006, 03:24 AM
I was watching TV one day and it said that macs cant get viruses

They were wrong, macs can get viruses BUT 1) we don't have any 2) its much harder to write one that does anything serious

Lollypop
Jun 30, 2006, 03:31 AM
If security companies are starting to write proof-of-concept viruses for mac os I personally think its a good idea, Apple has been hiding behind the Unix supperiour security bit for to long!

Security company writes vulnerability attack , informs apple about it, release it out in the wild 2 months later. That way Apple has to react, security companies can create security products and make money by selling security products, we have a secure operating system... I dont see a down side.

bigandy
Jun 30, 2006, 03:41 AM
All those anti-mac people saying "See? Apple isn't invulnerable. Get Windows." should just shove it. It can be likened to Microsoft being covered in mud and then making a big deal about Apple having a little smudge on itself. :rolleyes:
Couldn't have said it better myself :)



And what's with this? Yet another thread where I've read the same conversation on several pages! Do people not read? DAMNIT! :mad:

thestaton
Jun 30, 2006, 04:21 AM
I dont see how this is any better than a person releasing a virus. This guy should be prosecuted and I hope apple does so. not everyone is going to upgrade to 10.4.7 unless it does it for them, for those few people still on dialup may not have much of an option. I hope they put this pos in jail.

inkswamp
Jun 30, 2006, 04:36 AM
You mean this one?

Heh... close.

No, actually I found the one I was looking for with a couple of Google image searches. This one should be at the start of every proof-of-concept virus story posted to any Mac site. (Hmm... MacRumors is filtering out the s-word. Replace the four asterisks with it to see the image.)

http://www.johnberman.com/pics/funny/not_this_****_again.jpg

avkills
Jun 30, 2006, 07:32 AM
If security companies are starting to write proof-of-concept viruses for mac os I personally think its a good idea, Apple has been hiding behind the Unix supperiour security bit for to long!

Security company writes vulnerability attack , informs apple about it, release it out in the wild 2 months later. That way Apple has to react, security companies can create security products and make money by selling security products, we have a secure operating system... I dont see a down side.


No that is a real bad idea. Windows sucks ass because half your CPU cycles are taken by the AV software checking every god damn file for anything that resembles the 4 million virus definitions it has stored on the machine.

In my opinion, OS X does not need AV software. Apple should actually change the installation process to include the option to make a non-admin user which further increases security. I do it because it makes the machine a lot safer and also prevents you from messing up the OS by accident. Not that I need it; I just do it because my day to day user does not need admin rights.

-mark

peharri
Jun 30, 2006, 08:15 AM
This is a proof of concept that was due a while ago. Those saying "What's the point? To prove Mac OS X isn't invulnerable? Duh, we knew that!" forget that, actually, a large portion of the Mac community have been arguing for the longest time that the Mac pretty much is, either by design or "just is", virus free. This "message" is not to those of you saying "Well of course it's not invulnerable!", it's to those who insist on giving the opposite impression.

That said, I still don't think anyone's going to take security on the Mac that seriously until a major strike occurs. That will not happen for a while because the Mac's low penetration works against most virusses - that is, a virus needs a high probability of it hitting infectable computers in order for it to spread, and while Mac OS X languishes around the 2.5% mark, that's built-in security.

There are large holes in Mac OS X waiting to be exploited. Many of them are social - most people's primary accounts are admin accounts, with any programs they run able to patch anything in /Applications without prompting for passwords, and it's easy to get a dialog to appear that looks like Software Update asking for your root password. Seriously, if I wasn't worried about the potential for lawsuits, I'd do it, just to prove the point (I'm not talking about writing a malicious program, just a .app that gets you to enter your password in the way I'm describing) Mac OS X isn't perfect, it's not even, by design, more secure than Windows NT/2000/XP when both operating systems are correctly set up. Windows NT/2000/XP end up being less secure through combinations of higher marketshare, and poorer default user-land security, but there are tools in NT/2000/XP that, were users using them properly, would make the OS very difficult indeed to get in to.

On the flip side, I'd say Apple's to be congratulated in trying to make sure the userland is relatively secure, keeping up with updates (even in the absense of live exploits) and making the Software Update process relatively painless and a positive experience for most users.

The important thing, for everyone, is to keep on their guard, and ignore the small but vocal band of advocates who keep claiming "Windows suxxxxs! It has tons of viri, you can't get viriii on Mac OS X, it's based on Unix!!!" You're probably ignoring them anyway, otherwise you wouldn't be posting the sarcastic comments about OS X being invulnerable, but...

whooleytoo
Jun 30, 2006, 09:03 AM
I think thats cool he found the 'hole' in apples software, but why release it, maybe get someone else like cnet labs or something to verify it and then delete it.

I think releasing the exploit is a good thing, though in this case I think it was released far too quickly. People who report vulnerabilities tend to behave responsibly and give the vendor (in this case, Apple) time to patch the software.

But, once patched, it's good that this information comes into the public domain, so users can know, rather than guesstimate, how secure their systems really are and how important it is to install these security updates. It's far better than living in ignorance, and keeping your fingers crossed that crackers are too.

macnews
Jun 30, 2006, 09:29 AM
I don't mind people testing OSX for problems. I don't even mind posting it to the web if they have given the company time to respond (and not just one email).

What I hate is how this will be picked up as being equivalent to a major virus on windows. They all de-emphasize the importance of the LOCAL aspect. So yes, luanchd exploits can be very bad - but when you see some guy standing at your computer that you don't know, greet him/her with your shotgun or a call to the police. Of course I am going to the extreme but I feel that is comparable to what the window pundits will do.

Oh, wait.... I just discovered an even bigger local exploit....

.......WARNING......
OS X is found to be volunerable for versions 10.0 - 10.4.7. A local exploit has recently been discovered which could create havoc for a mac OSX machine. The exploit is so powerful it can earse an entire hard drive, destroying all of your data. It can also allow the local intruder to gain access to all of your private information via Apple's Keychain utility - a program that stores your user name and password to internet sites like those used for banking and credit cards. The exploit is so powerful that once discovered it can even be used remotely. Thus, it is most important you do not tell anyone your administrator password to your mac OSX machine. If someone were to have your password, they would be able to totally control your computer. Be ware! It is felt for the safety of all involved using OSX you should thus switch to windows.
Sincerely, your favorite virus company and Bill Gates.

pilotError
Jun 30, 2006, 09:44 AM
Security company writes vulnerability attack , informs apple about it, release it out in the wild 2 months later. That way Apple has to react, security companies can create security products and make money by selling security products, we have a secure operating system... I dont see a down side.

Thanks...

Amid all the Drama I was starting to think folks just don't get it...

All pretty standard stuff in the PC world. Coming soon to a Mac near you!

ready2switch
Jun 30, 2006, 10:00 AM
Of course people will try to find the exploits in OS X, particularly after Apple announces to the world that there are NO viruses for Mac. Will this continue? Probably. But I'd take an OS that fixes security vulnerabilities BEFORE they are exploited over an OS that waits several months to release a security patch for a well known problem.

Stella
Jun 30, 2006, 10:51 AM
I dont see how this is any better than a person releasing a virus. This guy should be prosecuted and I hope apple does so. not everyone is going to upgrade to 10.4.7 unless it does it for them, for those few people still on dialup may not have much of an option. I hope they put this pos in jail.

Personally, I think this release is a good thing - people should not be prosecuted for this. It encourges the developers to get off their arses and fix the security hole.

dagger01
Jun 30, 2006, 12:25 PM
No that is a real bad idea. Windows sucks ass because half your CPU cycles are taken by the AV software checking every god damn file for anything that resembles the 4 million virus definitions it has stored on the machine.

In my opinion, OS X does not need AV software. Apple should actually change the installation process to include the option to make a non-admin user which further increases security. I do it because it makes the machine a lot safer and also prevents you from messing up the OS by accident. Not that I need it; I just do it because my day to day user does not need admin rights.

-mark

1.) What version of Windows, and what virus software, on what machine slows down like that? Your data may be old on that front. NAV used to slow machines down in the Windows 98/ME/2000 days, but not today.

2.) Creating a non-admin user will protect the OS and settings, but not your data from malicious code

3.) If you believe OS X doesn't need virus software, well, you're entitled to your opinion, but it's a very naive and uneducated one. If you interact in a working environment with Windows users you can still spread a virus with a Mac even if the Mac itself is immune. Certainly doesn't make you popular in the office. If you don't interact with Windows users, sharing files, then there is still the risk of exploits based on services you run on your system, or malicious code embedded in applications that could compromise your machine. You are NOT immune from harm just because you use a Mac. You are LESS immune, but not impervious by any means.

dagger01
Jun 30, 2006, 12:55 PM
peharri,

I agree with your premise, but would like to rebut a couple of points you made that aren't entirely accurate based on the OS differences between Windows and Mac OS X.

I still don't think anyone's going to take security on the Mac that seriously until a major strike occurs. That will not happen for a while because the Mac's low penetration works against most virusses - that is, a virus needs a high probability of it hitting infectable computers in order for it to spread, and while Mac OS X languishes around the 2.5% mark, that's built-in security.

Your principle points are correct, i.e., market share and numbers being low makes the Mac a low priority target. However, it really depends on the intent of the attack. If someone creating malicious code for the Mac has the sole intent of making the lives of Mac users miserable by deleting all their files in the ~/Documents folder, well, that small market share isn't going to mean diddly to them. They're just angry, or bored, and want to cause harm.

Mac OS X isn't perfect, it's not even, by design, more secure than Windows NT/2000/XP when both operating systems are correctly set up. Windows NT/2000/XP end up being less secure through combinations of higher marketshare, and poorer default user-land security, but there are tools in NT/2000/XP that, were users using them properly, would make the OS very difficult indeed to get in to.

That's not entirely true. Mac OS X is, by design, more secure at the network layer than Windows. Apple chose the BSD network layer BECAUSE of its superior security record, and not performance for sure.

I need to point out "correctly set up" is a very relative statement. There are certain configurations that are insecure by nature because of the amount of utility needed by the user. Proper, or "correct", security practices go beyond the physical and software configuration of any machine. They involve an active participant to audit the machine based on the services running, and this includes user intervention in the form of manual software updates.

Windows "[ends] up being less secure through combinations" of poor programming practices and a legacy code base that is tens of millions of lines long, coupled with inadequate, system-level checks and balances that allow random processes to edit any file at will; including the registry. Mac OS X has, at least, a password mechanism for verifying and confirming software installs that are writing to private system directories. Windows does not do this, at all, ever! That's a very DUMB thing and has nothing to do with the user or his/her practices. It has to do with a fundamental design flaw in the Windows system architecture. Period. No code should be able to write to a system directory without admin/superuser approval. It's a check on malicious code that Microsoft STILL fails to address.

Beyond those items, I'm totally with you. Mac OS X users need to be less dismissive of exploits without at least educating themselves as to what they do and how they do it. Although, this particular exploit seems to have no facts to back it up. I'm not sure where this mysterious Symantec bulletin is, nor have I been able to find any sources, beyond the CNet article, to verify this supposed exploit even exists. I think CNet has gone to the dogs. I, for one, have pretty much given CNet the finger. There's nothing they say that seems worth reading these days. It's either uneducated opinion, or simply bogus FUD.

.......WARNING......
OS X is found to be volunerable for versions 10.0 - 10.4.7. A local exploit has recently been discovered which could create havoc for a mac OSX machine. The exploit is so powerful it can earse an entire hard drive, destroying all of your data. It can also allow the local intruder to gain access to all of your private information via Apple's Keychain utility - a program that stores your user name and password to internet sites like those used for banking and credit cards. The exploit is so powerful that once discovered it can even be used remotely.

LOL...you mean the install CD/DVD which will let you reset the password for any user and then you have COMPLETE control over the machine? That's an exploit that people seem to forget about, and is probably the greatest "local" threat to Mac OS X. Takes less than three minutes to implement and can be totally transparent to the user if you use the 'root' user as the object for the password change. I've done this just to mess with people. It's a lot easier than most might think to do and is the single greatest threat to Mac OS X security given there is no boot password for the Mac BIOS to prevent it.

bosrs1
Jun 30, 2006, 01:05 PM
another proof of concept. This isn't cool. Eventually someone will release one of these things in a less than sanitary manner.
It's nice to know Symantec is exploring the minute little holes that may exist in OSX and then publishing them to give their business on Mac a boost.

avkills
Jun 30, 2006, 01:50 PM
1.) What version of Windows, and what virus software, on what machine slows down like that? Your data may be old on that front. NAV used to slow machines down in the Windows 98/ME/2000 days, but not today.

2.) Creating a non-admin user will protect the OS and settings, but not your data from malicious code

3.) If you believe OS X doesn't need virus software, well, you're entitled to your opinion, but it's a very naive and uneducated one. If you interact in a working environment with Windows users you can still spread a virus with a Mac even if the Mac itself is immune. Certainly doesn't make you popular in the office. If you don't interact with Windows users, sharing files, then there is still the risk of exploits based on services you run on your system, or malicious code embedded in applications that could compromise your machine. You are NOT immune from harm just because you use a Mac. You are LESS immune, but not impervious by any means.

I've seen PowerPoint (Office 2003) on Windows (XP SP 2) come to a crawl scanning a file for malicious code. I do work in a Windows environment; as I am the only Mac user (video production) and I have yet to spread any virus. Needless to say, AV software robs CPU cycles.

I know the Mac is not immune, but for all practical purposes getting a virus on a Mac is something that would require user interaction in some way. It is very hard to do something in OS X that changes system files without user participation. As far as harming user files; yes that is easier, but I think you would still need the user to actually do something like double click a file or something.

-mark

zephead
Jun 30, 2006, 04:31 PM
.......WARNING......
OS X is found to be volunerable for versions 10.0 - 10.4.7. A local exploit has recently been discovered which could create havoc for a mac OSX machine. The exploit is so powerful it can earse an entire hard drive, destroying all of your data. It can also allow the local intruder to gain access to all of your private information via Apple's Keychain utility - a program that stores your user name and password to internet sites like those used for banking and credit cards. The exploit is so powerful that once discovered it can even be used remotely. Thus, it is most important you do not tell anyone your administrator password to your mac OSX machine. If someone were to have your password, they would be able to totally control your computer. Be ware! It is felt for the safety of all involved using OSX you should thus switch to windows.
Sincerely, your favorite virus company and Bill Gates.
And we're supposed to believe them that Window's won't do that? I'd totally like to see McAfee and Bill Gates make asses out of themselves by saying that. :D

solvs
Jun 30, 2006, 08:31 PM
What I hate is how this will be picked up as being equivalent to a major virus on windows.
Dog bites man, not news. Man bites dog, news. Nature of the machine. Everybody knows Windows sucks. :)

macnews
Jul 1, 2006, 01:11 PM
LOL...you mean the install CD/DVD which will let you reset the password for any user and then you have COMPLETE control over the machine? That's an exploit that people seem to forget about, and is probably the greatest "local" threat to Mac OS X. Takes less than three minutes to implement and can be totally transparent to the user if you use the 'root' user as the object for the password change. I've done this just to mess with people. It's a lot easier than most might think to do and is the single greatest threat to Mac OS X security given there is no boot password for the Mac BIOS to prevent it.

I agree, the method you mentioned (which I have also used) is a major vulnaralbility. However, it requires someone to actually be in front of the actual computer. 99% of computer virus or hacks are done remotely. From just a simplicity aspect, no one is going to take the time (let alone be phisically able) to infect MILLIONS of computer with a virus by using a local exploit. Dangerous and at least should be addressed - agree 100% with you. But the bigger concerns are those that come over the internet and are done remote, not local - that was my point. We all fear the burglar that can come in our house. The internet has introduce burglars who never need to even be in the same country. Those are the ones I worry about most because they tend to be less noticable.

Lixivial
Jul 1, 2006, 01:28 PM
What! You mean there's a difference? :eek:

I realize there was some semblance of sarcasm in your entire post, but yes there is a large amount of difference between the two. Even still, it's like choosing the lesser of two evils.

I mean, which is worse here; this attack code or the dialog box spoofing (http://forums.macrumors.com/showthread.php?t=212699) (which has been known for almost three years)? Neither are running rampant in the wild for various reasons, but that doesn't make them any less of a security threat.

I feel more secure knowing that this attack code has been patched than having an exploit -- without a patch -- published and potentially in the wild.